Kerberos (krb-wg)
-----------------

 Charter
 Last Modified: 2007-11-12

 Current Status: Active Working Group

 Chair(s):
     Jeffrey Hutzelman  <jhutz@cmu.edu>
     Larry Zhu  <lzhu@windows.microsoft.com>

 Security Area Director(s):
     Tim Polk  <tim.polk@nist.gov>
     Sam Hartman  <hartmans-ietf@mit.edu>

 Security Area Advisor:
     Sam Hartman  <hartmans-ietf@mit.edu>

 Mailing Lists: 
     General Discussion: ietf-krb-wg@lists.anl.gov
     To Subscribe:      https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
     Archive:           https://lists.anl.gov/pipermail/ietf-krb-wg/

Description of Working Group:

Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary
implementations. Kerberos evolution has continued over the years, and
interoperability has been problematic.  A number of draft proposals
have been issued concerning aspects of new or extended functionality.

The group will strive to improve the interoperability of these
systems while improving security.

Specifically, the Working Group will:

* Clarify and amplify the Kerberos specification (RFC 1510) to make sure
  interoperability problems encountered in the past that occurred
  because of unclear specifications do not happen again.  The output of
  this process should be suitable for Draft Standard status.

* Select from existing proposals on new or extended functionality those
  that will add significant value while improving interoperability and
  security, and publish these as one or more Proposed Standards.

 Goals and Milestones:

   Done         First meeting 

   Done         Submit the Kerberos Extensions document to the IESG for 
                consideration as a Proposed Standard. 

   Done         Complete first draft of Pre-auth Framework 

   Done         Complete first draft of Extensions 

   Done         Submit K5-GSS-V2 document to IESG for consideration as a 
                Proposed Standard 

   Done         Last Call on OCSP for PKINIT 

   Done         Consensus on direction for Change/Set password 

   Done         PKINIT to IESG 

   Done         Enctype Negotiation to IESG 

   Done         Last Call on PKINIT ECC 

   Done         TCP Extensibility to IESG 

   Jul 2007       Set/Change Password to IESG 

   Jul 2007       Naming Constraints to IESG 

   Done         ECC for PKINIT to IESG 

   Aug 2007       Anonymity to IESG 

   Aug 2007       Hash agility for GSS-KRB5 to IESG 

   Aug 2007       Hash agility for PKINIT to IESG 

   Aug 2007       Choose direction for Kerberos v5.3 

   Sep 2007       WGLC on preauth framework 

   Nov 2007       WGLC on OTP 

   Nov 2007       WGLC on hardware preauth 

   Dec 2007       WGLC on data model 

   Dec 2007       WGLC on cross-realm issues 

   Jan 2008       WGLC on STARTTLS 

   Jan 2008       WGLC on Referrals 

   Mar 2008       WGLC on Kerberos v5.3 

   Mar 2008       WGLC on IAKERB 

   Mar 2008       WGLC on LDAP schema 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
May 2003 Sep 2007   <draft-ietf-krb-wg-kerberos-set-passwd-07.txt>
                Kerberos Set/Change Key/Password Protocol Version 2 

Sep 2005 Oct 2007   <draft-zhu-pkinit-ecc-04.txt>
                ECC Support for PKINIT 

Jun 2006 Jan 2008   <draft-ietf-krb-wg-anon-05.txt>
                Anonymity Support for Kerberos 

Jun 2006 Oct 2007   <draft-ietf-krb-wg-naming-04.txt>
                Additional Kerberos Naming Constraints 

Nov 2006 Nov 2007   <draft-ietf-krb-wg-gss-cb-hash-agility-03.txt>
                Kerberos Version 5 GSS-API Channel Binding Hash Agility 

Oct 2007 Dec 2007   <draft-ietf-krb-wg-cross-problem-statement-02.txt>
                Problem statement on the cross-realm operation of Kerberos 

Oct 2007 Jan 2008   <draft-ietf-krb-wg-otp-preauth-02.txt>
                OTP Preauthentication 

Oct 2007 Oct 2007   <draft-ietf-krb-wg-iakerb-00.txt>
                Initial and Pass Through Authentication Using Kerberos V5 and 
                the GSS-API (IAKERB) 

Dec 2007 Feb 2008   <draft-ietf-krb-wg-kdc-model-01.txt>
                An information model for Kerberos version 5 

 Request For Comments:

  RFC   Stat      Published   Title
------- --------  ----------- ------------------------------------
RFC3962 Standard  Feb 2005    AES Encryption for Kerberos 5

RFC3961 Standard  Feb 2005    Encryption and Checksum Specifications for Kerberos 5

RFC4120 Standard  Jul 2005    The Kerberos Network Authentication Service (V5)

RFC4121 Standard  Jul 2005    The Kerberos Version 5 Generic Security Service
                              Application Program Interface (GSS-API) Mechanism:
                              Version 2

RFC4537 PS        Jun 2006    Kerberos Cryptosystem Negotiation Extension

RFC4557 PS        Jun 2006    Online Certificate Status Protocol (OCSP) Support for
                              Public Key Cryptography for Initial Authentication in
                              Kerberos (PKINIT)

RFC4556 PS        Jun 2006    Public Key Cryptography for Initial Authentication in
                              Kerberos (PKINIT)

RFC5021 PS        Aug 2007    Extended Kerberos Version 5 Key Distribution Center
                              (KDC) Exchanges Over TCP